Snort mailing list archives

Re: some question about snort3 appid inspector


From: "Shravan Rangarajuvenkata \(shrarang\) via Snort-sigs" <snort-sigs () lists snort org>
Date: Thu, 11 Mar 2021 20:54:52 +0000

Hello,

We will first need http_inspect to inspect HTTP flows. For that you will need to enable stream, stream_tcp and 
http_inspect. Also, you will need to bind HTTP traffic to http_inspect which you can do with default_wizard.

For detecting HTTP payload apps such as Facebook, Twitter, etc., you will need the OpenAppID Detector Package (ODP). ODP 
is available at https://snort.org/downloads. You will need to point to the location containing the extracted ODP with 
the configuration appid.app_detector_dir.

Here’s an example configuration file:

dofile('<path to snort_defaults.lua>')

stream = {}
stream_tcp = {}
http_inspect = { }
wizard = default_wizard

appid =
{
    app_detector_dir = '<path to extracted ODP>',
}

If that doesn’t work, can you please share the snort Lua configuration file?

Thanks,
Shravan
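As an added example, not code from the thread: a shell script that writes the configuration described above with placeholder paths, validates it with `snort -T`, and replays the pcap with one appid-based rule so a detected HTTP application shows up as an alert. The install paths, the pcap name and the use of the `appids` rule option for verification are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): writes a Snort 3 Lua config with the
# pieces named in the reply and one appid-based test rule, so HTTP application
# detection on a pcap shows up as an alert. All paths below are assumptions.
SNORT_DEFAULTS="${SNORT_DEFAULTS:-/usr/local/etc/snort/snort_defaults.lua}"  # assumed install path
ODP_DIR="${ODP_DIR:-/usr/local/etc/snort/odp}"      # assumed: directory the ODP was extracted into
PCAP="${PCAP:-capture.pcap}"                        # constructed file name

# write_config DEFAULTS_LUA ODP_DIR: print the Lua configuration to stdout.
write_config() {
    cat <<EOF
-- snort_defaults.lua defines default_wizard, which binds HTTP flows to http_inspect
dofile('$1')

stream = {}              -- flow tracking, needed by stream_tcp
stream_tcp = {}          -- TCP reassembly, needed by http_inspect
http_inspect = {}        -- HTTP parsing; appid uses its output for HTTP apps
wizard = default_wizard  -- classify HTTP traffic and hand it to http_inspect

appid =
{
    app_detector_dir = '$2',  -- directory containing the extracted ODP
}

-- Test rule: fires once appid labels a flow as Facebook (requires the ODP).
ips =
{
    rules = [[
alert tcp any any -> any any ( msg:"appid: Facebook"; appids:"Facebook"; sid:1000001; rev:1; )
]]
}
EOF
}

# Validate the config (-T) before replaying the pcap; -A alert_fast prints hits.
run_check() {
    write_config "$SNORT_DEFAULTS" "$ODP_DIR" > snort_appid.lua
    snort -c snort_appid.lua -T
    snort -c snort_appid.lua -r "$PCAP" -A alert_fast
}

# Only execute when invoked as "sh this_script.sh run".
if [ "${1:-}" = "run" ]; then
    run_check
fi
```

If `-T` fails, the error names the missing piece (defaults file, ODP directory or a disabled inspector) before any pcap is read.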

________________________________
From: Sitao "Tony" Cheng <sitaotonycheng () foxmail com>
Sent: Thursday, March 11, 2021 4:29 AM
To: snort-sigs <snort-sigs () lists snort org>; Russ Combs (rucombs) <rucombs () cisco com>
Subject: some question about snort3 appid inspector

Hello,
    Thank you so much for reading my e-mail!
    I am using snort3 as an IPS system, switching from snort 2. When using the appid inspector for application 
identification, I configure the appid, http_inspect and some other dependency requirements. But it just cannot 
recognize http applications when I use the command "-r *.pcap", while SMTP\POP\IMAP pcaps are fine. Things run 
correctly in snort 2 when using the same pcap file. I know that I missed something needed to configure. Can you give 
me some clues?
    I would appreciate it so much for your time.
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
